'Cloudy' Forecast for PHI

How secure is cloud computing as far as protecting patient data? At a time when many health providers are considering the use of the cloud, it’s a question worth considering.

Taking advantage of the cloud means trusting a third-party cloud vendor with your organization’s data. That means thoroughly evaluating a cloud operator, and getting a detailed picture of how your organization’s data will be stored on its servers, what sorts of protections it offers against unauthorized access to the data, and what sort of track record the cloud vendor has in healthcare.

The other side of the picture is what applications are appropriate to the cloud. I recently had an opportunity to speak with Rick Schooler, senior vice president and CIO of Orlando Health, a six-hospital system in central Florida. He says the cloud may be an acceptable risk for certain types of applications, such as software as a service, or using it to store revenue cycle data that can be used for business intelligence purposes. In those applications, security is a concern, but may well be an acceptable risk.

But what about the cloud and protected health information? “That’s a bridge that not many people have crossed in the healthcare world, putting PHI in the cloud,” Schooler says.

Breaches are on the Rise

An editorial in the June 29 New York Times addresses the use of the cloud by corporations, citing breaches by hackers who stole the names, email addresses and passwords of millions of users in recent weeks. It cites a survey by the Ponemon Institute that found that nine out of 10 companies surveyed had suffered an online attack in recent months. It also noted that Dropbox, a popular service for storing documents and other files in its cloud, recently allowed anyone to log into any of its 25 million user accounts using any password for a period of several hours.

While the editorial does not single out the healthcare industry, providers are not exempt from any of these potential attacks. In May, according to the Times, the Obama administration proposed legislation to ensure that companies running critical infrastructure have adequate security to reduce the risk of an online attack. The attention on cloud security is worth noting, and it should give organizations extra pause with regard to PHI.

Comments

Hi John, you may be right that PHI in the public cloud presents risky security and availability issues, but there's no reason that private or managed clouds within a HIPAA-compliant environment can't be as secure as, or even more secure than, a traditional managed dedicated server. In fact, you can't beat the disaster recovery resiliency of cloud computing compared to managed dedicated servers, and when patient information is critical path, PHI availability is as important as (or, in a life-and-death situation, more important than) security. But thankfully, you don't have to sacrifice security for availability benefits in the cloud. One key to proving due diligence is to seek a cloud hosting provider that has been independently HIPAA audited and found to be compliant across all 54 HITECH citations. They are out there.